From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Andreas K. Huettel" <dilfridge@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: rejecting unsigned commits
Date: Fri, 25 Mar 2011 20:57:22 +0100
User-Agent: KMail/1.13.6 (Linux/2.6.36-gentoo-r5; KDE/4.6.1; x86_64; ; )
References: <AANLkTi=4o69ytUxAVpy-O31AWQv-5p4bEWD2466NWYGx@mail.gmail.com> <20110325074824.TAf2c206.tv@veller.net> <AANLkTingt5eXb5fx3=a9xVd63Qcc9HDJJSOKEfLnG19O@mail.gmail.com>
In-Reply-To: <AANLkTingt5eXb5fx3=a9xVd63Qcc9HDJJSOKEfLnG19O@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed;
  boundary="nextPart4758920.9WT10EkHTE";
  protocol="application/pgp-signature";
  micalg=pgp-sha512
Content-Transfer-Encoding: 7bit
Message-Id: <201103252057.22740.dilfridge@gentoo.org>

--nextPart4758920.9WT10EkHTE
Content-Type: Text/Plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

> > Do you want to reject signed commits if
> > - keys are not publicly available [1]
>
> no.  e-mail warnings will be issued so that the dev can upload it
> after the fact.

Why? I'm pretty sure someone will forget. (Or try to trick the system.)

> > - keys are revoked [3]
>
> yes

Only if the signature was made after the date/time of the revocation.

> > - keys are not listed in userinfo.xml (current or former devs) [4]
>
> no.  you can sign a key with your personal key and that's good enough.

Heh. Yes, if there is a validity that can be checked in an automated
way. Which means a signature on the userid. A chain of trust can of
course be implemented in many ways, but requiring the user to download
the entire strong set is not an option. :o)

The @gentoo.org email addresses are advantageous because they provide a
pre-existing identification. Which is as strong as we will ever get with
this mechanism (I think).

-- 
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfridge@gentoo.org
http://www.akhuettel.de/

--nextPart4758920.9WT10EkHTE
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.


--nextPart4758920.9WT10EkHTE--
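
The acceptance rules discussed in this message, as an added example that is not part of the original mail or of any Gentoo tooling: it reads GnuPG `--status-fd` records, warns rather than rejects when the key is unavailable (the quoted answer), and rejects a revoked key only when the signature is newer than the revocation (the reply). The names `decide`, `Verdict` and `revoked_at` are hypothetical, and the status lines are constructed samples.

```python
from enum import Enum

PREFIX = "[GNUPG:] "

# Constructed sample: status output for a good signature by a revoked key.
SAMPLE_REVOKED = """\
[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Dev <dev@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-03-01 1298937600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
# Constructed sample: the signing key is not in the keyring.
SAMPLE_NO_KEY = """\
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1301097600 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

class Verdict(Enum):
    ACCEPT = "accept"
    WARN = "accept and mail the dev"
    REJECT = "reject"

def parse_status(text):
    """Collect status records as {keyword: [argument list, ...]}."""
    records = {}
    for line in text.splitlines():
        if line.startswith(PREFIX):
            keyword, *args = line[len(PREFIX):].split()
            records.setdefault(keyword, []).append(args)
    return records

def decide(status_text, revoked_at=None):
    """revoked_at: epoch seconds of the key revocation, supplied by the
    caller (hypothetical parameter, an assumption of this example)."""
    st = parse_status(status_text)
    if "BADSIG" in st:
        return Verdict.REJECT
    if "NO_PUBKEY" in st:
        return Verdict.WARN      # key not public: warn, do not reject
    if "VALIDSIG" not in st:
        return Verdict.REJECT    # unsigned, or not cryptographically valid
    # Third VALIDSIG argument is the signature timestamp. The signer writes
    # it, so it only orders events for a key whose holder is still honest.
    sig_time = int(st["VALIDSIG"][0][2])
    if "REVKEYSIG" in st:
        if revoked_at is None or sig_time > revoked_at:
            return Verdict.REJECT
        return Verdict.ACCEPT    # signed before the revocation
    return Verdict.ACCEPT if "GOODSIG" in st else Verdict.REJECT
```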